Update rollup for Microsoft Configuration Manager version 2303

Applies to: Configuration Manager (current branch, version 2303)

Summary of KB21010486

This article describes issues that are fixed in this update rollup for Microsoft Configuration Manager current branch, version 2303. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release. For more information on changes in Configuration Manager version 2303, see:

Known issue: August 14, 2023

Customers reported the following issue after the initial update rollup release on July 24, 2023:

  • Administrators might notice an overall performance degradation in processing data into the site database after installing KB 21010486. For example, collection evaluation, query processing, and site to site replication might be affected.

For customers that installed this update rollup on or before August 2, 2023, a new standalone hotfix is available to resolve the data processing issues:

  • KB 24721208 Slow data processing in Microsoft Configuration Manager version 2303

The revised version of the update rollup that prevents the performance issue described is now available.

This update appears in the Updates and Servicing node of the Configuration Manager console for customers that didn't install the initial (v1) release. It is displayed as KB24719670.

Issues that are fixed

  • The Configuration Manager console terminates unexpectedly when saving changes to a custom Software Center client setting that was created prior to version 2111.
  • The Enable BitLocker task sequence step fails when used in combination with the PROVISIONTS parameter. This happens if the option to escrow the recovery key is enabled. Errors resembling the following are recorded in the smsts.log file.
    Failed to CreateRecoveryPassword (0x800401F3)
    Failed to configure key protection (0x800401F3)
    Failed to run the action: Enable BitLocker. Error -2147221005
  • Active Directory Group Discovery data records (DDRs) are rejected for clients that are discovered first by the Heartbeat Discovery method. Errors resembling the following are recorded in the ddm.log file on the site server.
    DDR timestamp of "5/7/2023 3:05:02 AM" for agent "SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT" is older than existing record's timestamp of "5/7/2023 12:22:15 PM"
  • The Configuration Manager console terminates with a System.ArgumentOutOfRangeException message when comparing string and array data using the Create Scripts feature.
  • Windows Defender Exploit Guard - Attach Surface Reduction (ASR) policies don't apply as expected to Windows Server operating systems. Note this fix only applies to environments where Intune manages the Endpoint Protection workload. If the Manage Endpoint Protection client on client computers is set to Yes in Device Settings, the original behavior still applies.
  • User collections based on Azure Active Discovery won't contain Hybrid users after a full discovery cycle runs.
  • Active Directory Group discovery data incorrectly supersedes Microsoft Entra group discovery data, leading to inconsistencies in reporting and collection structure.
  • The SMS_CLOUD_PROXYCONNECTOR role goes dormant after a cloud management gateway (CMG) is offline for upgrades or maintenance. When this happens clients are unable to connect to the CMG until the SMS Executive service is restarted.
  • The SMS Executive service periodically uses 100% of available CPU time on cloud management gateway instances. This sometimes happens after a CMG instance is restarted.
  • Windows updates using the Unified Update Platform (UUP) might fail to download during an OS deployment task sequences. Errors resembling the following are shown in the DeltaDownload.log when this happens.
    DeltaDownloadStartup task is starting...
    Failed on startup task, error code 80070057 
    DeltaDownloadShutdownTask task is starting... 
    Update with CIID Site_{SiteID}/SUM_{GUID} failed with hr = 0x80d02002 
  • After synchronizing collection members to Microsoft Entra groups, further synchronizations might unexpectedly delete the group members. Additionally, in large environments the synchronization process might not complete when both AD user discovery and Microsoft Entra user discovery are both enabled and run with overlapping schedules.
  • The size of the patchdownloader.log file is now configurable; it was previously limited to 1 megabyte (MB). The new default size is 5 MB and is configurable by modifying or creating the following registry key:


    DWORD LogMaxSize

    Value - size in bytes

Update information for Microsoft Configuration Manager current branch, version 2303

This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using early update ring or globally available builds of version 2303.

To verify which build is in use, look for a Package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The update applies to installations from packages that have the following GUIDs:

  • 2B85942D-2F3A-4B8C-AFA7-20C37E3BB266
  • 1A251438-E9B5-42EF-8AAC-48B6E1790D9F

Restart information

This update doesn't require a computer restart but will initiate a site reset after installation.

Additional installation information

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

Version information

The following major components are updated to the versions specified:

Component Version
Configuration Manager console 5.2303.1089.1300
Client 5.0.9106.1015

File information

File information for the original July 24 release is available in the downloadable KB21010486_FileList.txt text file. File information for the revised August 14 release is available from [https://aka.ms/KB24719670_FileList]

Release history

  • July 24, 2023: Initial hotfix release
  • August 2, 2023: Article revised to address data processing performance issue
  • August 14, 2023: Revised update rollup released to prevent performance issue


Updates and servicing for Configuration Manager